Everyone, it’s Chris Feria, executive editor of Tribal Gaming and Hospitality Magazine. Welcome to the webinar, Cybersecurity Economics for Tribal Nation Casinos. All registered attendees will be sent a link to the recording so that they can share and review it with any team members, as well as a copy of the PowerPoint. In today’s webinar, REDW cybersecurity principal John Graham introduces the left of boom, right of boom economic framework, showing how to balance prevention with response, leverage sovereignty to build resilience, address ransomware, AI-powered attacks, and third-party risk, and navigate new regulatory requirements and best practices. John is a distinguished cybersecurity and technology executive with over two decades of global leadership experience across Fortune 200 companies. His career spans critical sectors, including financial services, aviation, health care, manufacturing, and technology. Known for his ability to align security strategy with enterprise vision, transform IT organizations, and cultivate cyber-resilient cultures, John has long served as a trusted adviser to boards and executive teams. John is also joined today by Tricia Wilbrand, senior cybersecurity consultant, and Jennifer Moreno, information technology and cybersecurity consultant. That’s as much as I’m going to talk today. John, Tricia, Jennifer, welcome. John, the floor is yours.

Chris, thank you so much. I really appreciate the great intro. Let me bring up some slides, and as Chris mentioned, I really want this to be interactive, so please feel free to interrupt, post your questions, whatever comes to mind, feel free to jump in, and let’s make this interactive and have a good day today. So let’s start out with a couple of slides here just to level set. So as Chris mentioned, I’ve been in cybersecurity since around the year two thousand. The majority of my career has been spent in companies and global enterprises building their cybersecurity programs.
I joined REDW earlier this year so that I could, honestly, give back at this point in my career. And I’m really pleased to have Tricia and Jen join me today in this presentation. So any questions that come up, please go ahead and ask and throw them out. Just to start and level set, without getting into a whole lot of what we call fear, uncertainty, and doubt, I think you all have seen and should know that there are challenges going on around cybersecurity in casinos and gaming and in the travel area. Just this year alone, even though it’s not on the slide, we have seen five different casinos hit with ransomware, one in February, one in April, one in May, and one in July of this year. So when you get to this and you start looking at, well, what does that cost? There’s an operational interrupt that happens. So the casino can be basically unusable for a period of time, so you’re losing revenue. You can lose, you know, branding and face, if you will. And so when you look at that and you go, okay, what’s the cost of that? The average cost is around ten million, and that actually does translate into what we see in the tribes as well. There’ll be a little bit further breakdown on that too. The other thing we want to talk about is this unique regulatory and sovereignty landscape that increases the risk, because a lot of the organizations aren’t speaking with one another. So there’s not a unified front. That being said, and I will reference this later, the National Indian Gaming Commission really has some good materials that you can leverage, and we recommend you do leverage those. So, bringing up this concept and framework of left of boom, right of boom. The reason this is important is we want you to think about the concept of being proactive in how you build a cybersecurity plan or a cybersecurity program, and how do you bring in the reactive side of that? So there’s this notion of the NIST Cybersecurity Framework, and that’s at the bottom.
The identify, protect, detect, respond, recover, and then govern. And the NIST CSF, this framework, actually aligns really well to what we see in the NIGC’s cybersecurity guidance as well. So it shouldn’t be really foreign, but the whole point is there’s the left side, which should be proactive, where you’re training your employee base, you’re actually identifying where your risks are, you’re putting in different types of protections, and then there is the post-breach, or after something happens, how do you respond? You’ve detected it. Now what do you do? And where does that expense come from? So if we look at this in a little bit more detail, the left of boom is very focused on prevention, preparation, risk mitigation before an incident occurs. The right of boom is the response, recovery, post-incident activities, and the boom is the actual event. So I’ll give you a scenario. Last year, a company called CrowdStrike, and it’s not really relevant what the company name is, they had an issue. It wasn’t a cybersecurity event, but it was an issue that actually caused computers to go down, and it happened globally. The team that I had at an aviation company, we had been preparing through what they call tabletop exercises and testing the whole proactive side of the equation. So how do we identify an issue? How do we, you know, protect against it? And how do we detect when it’s occurring? At one twenty in the morning, we saw that CrowdStrike had an issue, and it actually caused the computer systems, many of them across eight thousand employees, to be nonusable. And this also included some of the internal systems that ran our operations as an aviation company. So at one twenty in the morning, our team got on the phone. We started working the incident. So we started responding to the incident and the event. By five AM, we actually had the company operational.
So we had gone through, using the testing we had done, using the preparation we had done, and we knew which systems were critical to be restored first. We knew which ones meant that we could actually operate and have aircraft take off and move passengers. And so we actually focused on those things. And by five AM, we had the company operational for the day. By six AM, we had sent out a communication to our client base telling them we were operational. If you compare that at the time, and you can Google and look it up, if you compare it at the time to some of the commercial airlines, like Delta Airlines as an example, Delta had trouble for the next two weeks where they had issues. They could not get their scheduling back on track. They had aircraft that were not actually able to leave and move passengers most of that same day. And so by having that proactive stance, even though we didn’t spend extra money doing it, we actually had built the muscle memory. We had the teams trained. We knew which assets were key for us to go focus on proactively, so that when an event occurred, the response was really quick. On the other hand, you know, for some of the others that we saw, the response was slower, and it was more difficult for them to actually get back to an operational state. So that’s really the construct and why it matters is, you know, you focus your resources on that proactive stance, and you focus them on what makes you sustained and resilient to an attack or an event that happens, whether it be in the casino or whether it be the casino that affects the rest of the nation, either way. So a couple of things on the current threat reality. Ransomware is still a really big deal, and what we’ve seen is that there are fewer criminal groups performing ransomware, but the ones that are performing it are getting more proficient.
And believe it or not, they believe that they are actual businesses, and they think that they’re doing a good thing in the way that they operate. So they will actually ask for a ransom that is aligned to your casino’s revenue. And so they’ll try to ask for something that they believe you can actually pay, believe it or not. So one way to think about ransomware is think about the fact that, imagine somebody breaks into your tribal office at night, and instead of stealing everything and leaving with it, they actually apply new locks to your file cabinets, and they lock the doors with a new lock that you can’t have access to. And they take your safe and they add another lock to it so you can’t get into it. And then they leave a note for you and they say, pay us fifty thousand dollars within three days or we’re gonna put all of your information and everything in your filing cabinets out in the middle of the street. That’s how ransomware works, believe it or not. And so, you know, the criminals believe, and they’re all over the world, and they are working as though they were a business. Believe it or not, they will have a support desk. They will have different groups that actually perform different types of the attack. So they have a group, as an example, that may do the phishing email campaigns to try to get somebody to click on an email. They’ll follow that with a group that actually receives the notification and then tries to attack and use that information to get into the company. They’ll hand off to another group that may bring in the malicious code that actually is the ransomware. So these are organizations that actually operate as though they’re a big company. And then when they put the ransom on you, they may or may not actually remove it if you pay them.
So you have to think about, you know, you’re dealing with an organization, not an individual in a basement with a hoodie on, like we used to think about criminals in the cyber world. So hundreds of millions of dollars, if you look at overall, just tribal casinos and gaming, but overall, you’re at about four point four five million globally in impact in terms of breach cost over the past year. It’s just phenomenal. And it’s very unfortunate, but it is the world that we live in. So real quick, let’s get into a poll and see how everybody feels. And if there are any questions, I’d be glad to take those.

Alright. Thank you very much for that, and I would agree. I have been concerned most of my professional career in this space. Although I did finally get to the point where I could sleep at night, it took a while. So staying on this topic of left and right of boom, and as Chris mentioned when we opened the webinar, we are giving you this slide deck. So we really want you guys to use this in your own organizations and in your own groups to help explain why it’s important to try to do the proactive pieces. Prevention is five to ten times more cost effective than the response. So this means things like, in broad terminology, infrastructure hardening. That could mean, you know, do I have more than one network into my building? It could also mean, am I patching my systems, as an example. Network segmentation, a big word, but think about it: if you have a physical building with different rooms in it and you bring people in to meet with you, you know, you may escort them to a certain room and shut the door, and they’re segmented from the other group you bring in and escort to a different room and shut the door. So that’s all that network segmentation means in a technology term.
And what we’re referring to here is segment your gaming from your healthcare, segment it from your government, you know, segment even the gaming from the personnel files that are in the casino and help manage the employees, so that you have some limitation if somebody breaks in: they can’t get out of that room. That’s what segmentation means. Staff training, super important. We really, really focus at REDW in particular on sustainability. We want your organization to grow a sustainable program. One way to do it is train the teams and train the organization so that culturally you’re focused on how do I avoid a cybersecurity impact, or if I see one, how do I respond to that? This notion of vendor risk management: you have many different suppliers and vendors, from the custodial staff that physically comes into your building to the groups that may help you with cybersecurity or the groups that may help you with IT and technology. So how do you manage those vendors relative to their getting attacked or their cybersecurity resilience? You know, if you have a vendor that provides your website and web gaming, or your app or mobile apps that do gaming, how do you ensure that they actually are resilient to an attack and can still offer that service if something happens? That’s what vendor risk management is all about. And then this construct of backup systems is very, very basic, but it does have its pitfalls. So what it means is taking copies of your systems on a recurring basis, and you want to either have them leave the facility or be up in the cloud or be somewhere other than local to the system. Because if it gets attacked, you don’t want the backup to also be attacked. Or if you have a weather-related event that impacts the building, you don’t want to actually, you know, see that impact hit the backups as well at the same time.
So, again, trying to help frame this notion of left of boom and the prevention side of this. The ROI calculation truly is every one dollar in prevention saves around five to ten dollars in incident response. So if you do nothing on the prevention side at all and you have an impact, you’re almost always going to be paying an extra five to ten to recover, because you’re gonna have to find people to help. You’re gonna have to learn, you know, either you don’t have backups and you can’t restore from anything, you have to kinda start over, things of that nature, and it gets really, really expensive. And so that ounce of prevention really is a big deal. So let’s ask one more polling question, then, about the economic impact and cost.

Okay. Excellent. Yep. And I would agree the downtime and the impact is the one that is most critical. And that’s the one, again, like even the example I gave you at the aviation company I was in, because we had done the preparation and we had actually done the testing of our processes and our plans and we knew what areas needed to be recovered first, we were able to be operational, you know, around five AM that morning when a lot of the other aviation companies simply were not. And the difference in impact was massive in that scenario, you know, and we ended up in a favorable situation, luckily, if you will, but that preventative side really, really did help it. So let’s look at a couple of the travel-specific investment priorities. Obviously, you know, everybody or the majority of you on this webinar are on the gaming system side. So without getting into a whole lot of detail, you know, the gaming system protection is crucial to what you’re doing and what you’re providing as a service, and how you’re supporting your customers. It’s not something that you think about second nature. I’m sure it’s something you deal with every day.
And so how you deal with the server-based gaming is the same as you would deal with any technology. The slot machine security as well, I’m sure you’re heavily focused in that area. And so there’s not a whole lot of reason to kind of dig deeper into it. The customer data security side, player tracking and payment processing, that could be a little bit different. Even though you’re a sovereign nation, you know, some elements of privacy do stand for the individuals of the state or the region that they’re coming from, relative to their own privacy. So it’s important to kind of be aware of, you know, those things could impact how you handle their data on their behalf. Such as, a European Union resident has what’s called GDPR as a requirement on how you protect their personal information, like their name and address and passport number, things of that nature. So if they’re visiting you and visiting your casino, there is a connection between how you have to protect their information. The same goes with residents of New York and residents of California, as well as most of the states in the US. Regulatory compliance, the NIGC and state compacts. Again, I mentioned the NIGC before. They actually have a tremendous amount of information that hopefully you’re already leveraging, and if not, I would recommend you reach out. They’re doing a lot around cybersecurity readiness. They have a publication that’s available in a PDF. They also have some subscriptions you can sign up for, newsletters and threat information, I think, that they’re putting out, which is fantastic. So I would definitely try to engage and get associated with them. This notion of third-party vendor management, we talked a little bit about that a few minutes ago.
So there is this concept of a security assessment, and the way those used to happen for third parties is there would be a big questionnaire, an Excel spreadsheet of three hundred questions you would send to your third party, and they would answer them and send them back and you would evaluate their answers. And that’s fraught with a lot of challenges. One, it’s overhead intensive. It requires a lot of resource to do that activity, manual resource. And number two, the third party can answer it any way they want. So there are some newer systems out there that actually look at a company from the outside, from the Internet, and then they add a score to them. And if that score changes, they’ll notify you. Those types of services are how I’ve done third-party vendor management over the past probably ten years at different companies I’ve worked at, where we monitor the third party from the outside looking in at their cybersecurity posture. And then if their score drops, we’ll contact them and ask them, have they seen this? Did they respond to it? How are they addressing that drop or that gap in their cybersecurity program? And it’s been more fruitful to do that because then you’re engaging with the third party. It’s low overhead for your organization, and I think you get a better result out of it. And then funding and resource allocation. Here again, I think there’s a real challenge that I’ve seen, and that’s one of the reasons we focus this whole webinar on the economics, is we really want to see the sustainability happen in the organizations. And believe it or not, in the companies that I’ve run programs in, in a large global manufacturer, we were running at about two dollars and seventy cents per employee per day for the cybersecurity program. And that was across seventy-five thousand employees.
The last company, which was an aviation company, we had about eighty-two hundred employees, and we were running at three dollars and thirty-two cents per employee per day. So if you look at a group, if you’re a casino and you have three hundred employees at three dollars per day, you know, you’re talking about a cybersecurity program of around three hundred and thirty thousand dollars a year. That includes the people to manage it and all of the technology to actually allow the controls to be in place. Controls you’ve probably heard about, like multifactor authentication or vulnerability scanning and things of that nature. So just to give you some idea of what that program in total should cost on an annual basis. Again, if you’re three hundred employees, you should be around three hundred and thirty thousand dollars a year, honestly. And that again includes the staff, the technology, the controls, and everything else. The other piece in here that I want to really focus on is this phased implementation. None of the programs I’ve ever run for companies started at zero and went to a hundred in the first year. They’re all phased in over multiple years to gain maturity so that the organization can actually consume and learn how to protect itself and be sustainable and resilient. So again, I would say step back and look at what you’re doing today and see how it compares to some of those numbers we just talked about. A couple other things, again, just to throw out. We talked about network segmentation before. There’s this notion of zero trust access. Again, I won’t dive into the technology a tremendous amount. What I will tell you is the future of how companies protect themselves is in this construct of zero trust access. Encryption is important, and only because of quantum computing. Quantum computing, some of the researchers are suggesting it may be here as soon as twenty twenty-eight or twenty thirty.
And the important piece is it will require a different type of encryption than most companies have in place today. So you want to go ahead and start thinking about, as you’re signing on new technologies and things in your contracts, please start putting in there the notion that the third party has to be quantum ready around cryptography. Because if you don’t, you’ll get into a contract. If you get into a three-year contract next year, you’re going to hit twenty twenty-nine. And if it comes to fruition in twenty twenty-eight, you would have already missed that contractually. Some of the other things, gaming-specific controls, I talked a little bit about before. And then again, the last one I want to really focus on is this human factor around awareness training. This notion of phishing simulation is super important, and that’s where you’re actually testing your organization and giving them small bits of training. If they click on an email that they shouldn’t have clicked on, nothing really big and overhead, not twenty minutes of training, but just a little snippet of, hey, that wasn’t right, here’s how it wasn’t right, so they learn in real time. And then incident reporting is super important. This notion of see something and say something. Very important to get that into your organization through awareness training and have an outlet for them to actually report out if they see something. Incident response and recovery economics. So now we’re on the right-hand side of the boom. So how do you actually prioritize, know what you’re going to be recovering, and get ready to actually respond? And a lot of this, like I said earlier, is really around the preparation. How do I actually build the processes, train on it, and then actually test and make sure that it can happen? The team I had, again, in the aviation company, I was there four and a half years, and we actually trained with a scenario, a fake scenario.
Every quarter, we trained the cybersecurity team, and every year, we trained all the way up to the CEO and the board. And the intent was to build the muscle memory. The yearly one included outside communications and media groups. It included outside legal teams as well, and it allowed us to go through the process of how does it feel when we’re in a situation and we have to make these decisions. Again, how do you bring the tribal governance in to help make a decision on am I gonna pay a ransomware or am I not gonna pay a ransomware, you know, in that particular situation? How do I contain something if it’s being attacked? And how do those decisions happen? You know, those are things that you want to build into your muscle memory so that they’re not brand new when it actually happens. You want to actually go through and teach the teams and build that resilience into the organization. And so back to, you know, the poll question about economic impact, you guys said it right away, the direct downtime is really where you see an impact, and I don’t disagree. Some of the hidden things that are indirect are reputational or even fines. You know, Canada recently fined a Canadian tribe because they had an incident and they didn’t report it, believe it or not. And I think it was around a one point two million dollar fine that they were hit with for not reporting. And so, you know, you need to make sure you bring those things in. Other hidden things are, you know, the insurance cost. Even if you have cyber insurance, if you haven’t done the basic controls, a lot of times they won’t add coverage to you when you’re in an event and they see, oh, well, they didn’t do some of the basic things. And then there’s this notion of competitive disadvantage, and I think that just goes back to brand. Back to the cost again, just a couple of case studies I looked at, they rounded out to be around two to five million in actual incident cost.
And that means, you know, when the impact happened, what did it take to actually recover them and get them back operational? Alright. So another quick poll for everyone around incident response and readiness.

Okay. Awesome. Outstanding. I love seeing that. Yes. That’s fantastic, because you are building muscle memory. Anybody who’s already doing those incident response tests and tabletops and things, that’s fantastic. So let’s shift gears and talk about your comprehensive cyber program. And I intentionally used a picture here from a physical police department as an example to show you how it compares to a house. So if you think about burglary by the numbers and you look at this picture, it should really resonate and be pretty straightforward to you. It’s basically telling you, when they look at break-ins of homes and residences, where do the people break in? So, you know, two percent happen on a second floor, twenty-two percent in the back door, thirty-four percent in the front door. That’s how they break into a house. So what you really need to do is step back and look at the cyber world the same way. Okay? How am I looking at my organization and, you know, where are the potential risks and where do I have controls or where do I not have controls and, you know, where are people trying to attack us? Or another way to do it, and we used to do this all the time, is what’s happening in the world around us? Even though it may not be impacting me, how did that other group get hit, and what did we learn from how they got hit, and what they had as controls or did not have as controls? So what we want to see in these programs is governance and leadership at the top. So we want the tribal council engaged, we want cross-functional teams, we want a policy framework. And to be clear on the policy piece, this doesn’t mean that you have a team that sits in an office and writes a policy and sends it out and says, hey, here’s the policy, it’s done.
It needs to be ratified by a group, and usually that would be the tribal council or a cross-functional team that actually agrees and ratifies or accepts that we’re gonna operate with these policies. Super important, because they have to have authority behind them. An actual staffing strategy, you know, where you have internal training and you bring in some external expertise and you build a culture of sustainability and continuous learning within that staff, in that group. Again, important. When I’ve built cyber programs in the past, we would bring in two college interns a year and then have them actually come up through the ranks over the years so that we could build sustainability within the team, instead of always bringing in people at a high level of training and a high skill set, because they’ll stay for a certain period of time and leave. But we found that if you bring people in at the beginning of their career, a lot of times they really enjoy it and stay, and you can move them around to do different roles that they’re passionate about. So you want to make sure you really have a staffing strategy to help that group and that organization be sustainable. And then, again, you want to put some actual key performance metrics in place, or key measurements in place. Left of boom: vulnerability reduction and training, and vulnerability is I’m looking for a problem and I see a gap. That could be through a risk assessment, it could be through what’s called vulnerability scanning, where you’re actually looking at the technology, and then you’re actually reducing that risk over time through actions that you’re taking. Training as well, we talked about that, building that culture of cybersecurity where people lean in and want to protect the company. And then the right of boom piece: response time, recovery, regular assessments. It’s an ongoing loop. These are like sports teams, where you’re always maturing and you’re always moving forward.
It wouldn’t be a stagnant program in any sense of the word. Okay? So a couple of things around regulatory compliance challenges, just to highlight these. Again, I mentioned a few of these earlier, and I’ll still go back to the NIGC and reference it. The new federal rules too, around gaming compacts and expanded reporting requirements, it’s interesting. These don’t specifically call out cybersecurity, but what they are doing is they’re calling out reporting that you now have to catalog, capture, and then submit. And anytime you’re collecting more information and more data, especially with some of the sensitivity of the reports that they’re asking for, you create another risk scenario where they could be attacked or they could be captured for ransom, you know, or something may happen to those. So you want to make sure you’re adding those controls to the level of sensitivity of the reports being created. The other thing I’ll mention, if you’re not aware, is the TCGP and this notion about the grants and the grant program, which is really, really positive in my opinion. It does require that you have some basic things in play, but it’s a really positive program that we’ve seen a lot of different tribes take advantage of. So I definitely suggest that you look at that if you haven’t already, and that you go ahead and look at building some of the foundational pieces, like the planning committee and a cybersecurity plan, out of the bigger side of it. And then the bigger thing is just kinda keeping up with the rule changes and the things, you know, as they come at you. Okay? Another quick poll question.

Alright. Yep. I would agree with you on understanding the new rules. We have teams that just focus purely on that, but they do change often, and it’s important to stay current and really focus on, you know, what you can do and what you need to do as they come out. So the last real topic here is around artificial intelligence.
And, you know, it’s a good and a bad thing. So a lot of the cybersecurity tooling and technical solutions today are actually leveraging artificial intelligence to help them identify anomalies and take action as well, which is really, really important, because they can do it faster at times and they’re also working twenty-four seven. So it’s really good to do that. When I’ve built security operations programs in the past, a lot of times I will allow the third party or the security operations center to take the first action, to quarantine a machine or something of that nature. And then my team was always trained on how to come in and respond to that, how to do the forensics, how to do the investigation. Because, you know, it’s very expensive from an overhead perspective to have a team that is twenty-four seven within your own organization. It’s just a commodity nowadays. So one thing to think about is AI is on both sides of the fence. So it’s helping your operations, and you’re probably using it in a lot of different areas of reporting and things of that nature. But the criminals are also using it as well. Some of the things we’re seeing is this notion of deepfakes, which is, hey, I’m gonna sound exactly like John, and I’m gonna send out a call and ask somebody to do something on John’s behalf. Or even the deepfake of a video, where I’m gonna look and sound exactly like John and do something nefarious. Right? So that is real, and it is a challenge, and you want to educate your teams on it initially. Some of the other things it’s doing is phishing emails, and how does it do social engineering? Because the AI, and what’s called an agent, can actually go pull information from things like ancestry.com or LinkedIn or different places and combine it together to be really effective in a phishing email or a social engineering attack.
So you have to kind of pay attention to what’s happening in this space and make sure that as your teams are looking at how AI can make you more efficient or, you know, how you can use it in innovative ways in your gaming and hospitality, you’ve got to look at the other side of it as well, which is how do you think the criminals are gonna leverage it, and how are they gonna make an attack out of it or make it do an attack on their behalf. Right? It’s just the world we live in, right or wrong, and that’s where it’s evolving. So I did wanna bring that up as an area to think about and consider. And we do have, I think, one last poll question as well. Hey, John. You’re doing great on time. You have about twenty minutes left. And I do have some questions, but I think we’ll let you finish up, and we’ll tackle those questions for you. Oh, absolutely. So, yes, occasionally, not sure. Okay. Yep. And the not sure is realistic. I mean, there are things happening, and at the moment there’s not a lot of tooling to help you find or, you know, see that it truly is AI and then an attack. So it’s something just to pay attention to and be aware of, like we talked about. And then the other thing I know a lot of the sovereign nations are talking about is, you know, creating their own language models or their own AI that are separate from anything else. And I think that’s a good thing, personally. You know, I’d love to see that happen. So, yeah, Chris, we do have some discussion questions. I’d love to open it up or see if there are any other questions out there. Why don’t you go ahead and cover these discussion questions? My questions… well, you know what? Forget it. Let’s go for the questions from the audience. Yep. The first question is, our IT department is just me and one other person. We can’t monitor security twenty-four seven. So how do you coordinate outside resource help?
How do you prevent redundancy, where you’ve hired maybe three different firms to help you out? What does that look like? Is there one company that can provide a solution for all things? Yeah. That’s a really good question. There are some companies that have emerged over the past three to five years that are more holistic. And since you’re in the IT department, these companies would provide an endpoint solution. They’ll provide email monitoring. They’ll provide the actual monitoring itself and first action steps as well, and they’re combined. So I’ll be glad to share some of those offline if you don’t mind. I’d rather not just throw them out on the table, but there are some companies that are doing that now very effectively, and it is something you really should think about. The other thing I would say is the materials that we just went through, trying to help position the economics of this, are super important to the role that you have, in my opinion. Because one or two IT individuals who are also accountable for cybersecurity is what we’ve been running into in working with a lot of different tribes. And I think that you have to really get to an understanding with the tribal council of, you know, that proactive stance that you need to take, and you just can’t. If you’re doing IT as two individuals for around three hundred people, I know you’re swamped operationally almost every day. I mean, I can just imagine. And so hopefully some of this material will help you be able to explain the need for offsetting that, either with some third-party help like we talked about a moment ago, or can you get some more help yourself, and, you know, can you bring in some junior people that you train up as well, or can you get some people that have other roles to help you. Right?
Because it’s a bigger job than just one or two people, unfortunately. We’re seeing that. Unfortunately, we’re seeing that. We have two questions from attendees that are around vendors, so I’m going to read both of them. Are there specific patterns of attacks seen through vendors or third-party integrations? The second question is, what’s the best practice for handling remote vendor access: VPN, jump servers, or Zero Trust gateways? Okay. Awesome. So let me hit the first one first. The most common scenario is the vendor gets attacked on their own and they simply stop their operation completely. And the problem with that is they may or may not even return your phone call. And if they’re instrumental to your operation and you just lost them, you’ve got a real problem. I mean, I had a scenario at a company I worked with where I was supporting multiple small businesses from a corporate headquarters. One of the small businesses had hired a web company that wrote their website, which did all the interaction with customers; it allowed customer orders, everything else. And one day they just went offline. We couldn’t reach them. We couldn’t call them. We ended up having to fly to where their headquarters were and walk into their office to engage them. And that was a week after the event started, because they just disappeared and they had no plan at all for how to deal with it. They had no backup support to even call and tell us what was going on. Right? So that would be the one that I’ve seen that’s really the harshest one. When you look at other scenarios of attackers coming through a third party to get to you, that’s a reality. And the thing there goes to the next question that was asked about jump servers and things of that nature. Jump servers are probably one of the best, in my opinion. I’m not a big fan of VPN anymore. I would also say you can default into the constructs around Zero Trust.
And Zero Trust is not a single technology. It’s a concept more than anything. But if you think about what it does, it identifies, or it aligns, identity management with what that person and identity can actually do and access. We had it at the aviation company, where the aircraft mechanics could never see the information on one of our customers who was flying because there was no reason for them to. So we just had it segmented that way through the concept of Zero Trust. You could do the same with third parties. So you just need to sit back and see how that works for you and where you are in your own technical journey, and can you leapfrog as you set up some of those suppliers to use those concepts of Zero Trust, in my opinion. And then the other thing, like we talked about, is monitor them. You know, I hate to say it, but you’re better off monitoring versus trying to send them a spreadsheet and ask them a bunch of questions, in my opinion. We have another question from Dell. Can you give specific details of what specific cyber insurance should be obtained and what coverage amounts might be best? Interesting. So cyber insurance normally covers breach notification. So what does it cost me to notify the customers that data was breached? Right? It also can cover an operational impact, to a degree. So what you have to figure out is what are those numbers, and then how do I take that information and put it out for bid from different underwriters in the cyber world. So as an example, back to the aviation company, because that was the most recent for me, we carried ten million dollars in cyber insurance. And most of that was focused on the breach notification coverage, not the operational coverage. And the reason was the client base we had was a very luxury client base. And so we knew that it’s super important to control media, control how we notified, and that’s where we focused.
Now, the other thing we did to keep the deductibles low and the cost low is we presented to an insurance broker annually what our program was. So we talked about a cybersecurity plan earlier. And so if you have the plan and you actually have the key metrics, you’re gonna wanna take all of that and present your maturity level to an insurance broker, who will then have multiple underwriters bid for your insurance policy; that’s how it works. And that’s going to give you the best deal. And doing that year over year, we were actually able to reduce the outlay and the cost and the deductible, versus, you know, maintaining the same ten million coverage year over year, just because we showed them we were maturing the program year over year. Do you think, John, that, like, you had the example of a house. Do you think a lot of businesses rely on their insurance rather than being proactive, just like we rely on our home insurance and hope that there’s not a fire, but we probably don’t do everything that we should to protect our home? I unfortunately have seen that happen, and that’s why I mentioned earlier you have to be careful, because a cyber insurance policy normally carries with it these minimal foundational things you have to have in place, and they expect that you’re gonna have them. And if you get into a situation, normally in an event itself, they will inject a person to be a part of your event response team, and they call them, let’s see, they call them an event coach, I think, an incident coach, and they will normally inject them in to be a part of that. And sometimes those are attorneys; it depends on the insurance firm. So the reason they do that is they want to see: have you done your testing, have you done your incident response tabletops? Like we saw in the poll, it looks like a lot of you are, which is awesome.
But they wanna see that you actually have these foundational elements in place, because if you don’t, they’re gonna say, oh, we’re not gonna cover you. And I’ve seen that happen, unfortunately. So you’re right, Chris. I think a lot of people do sit and go, well, I’m not gonna worry about investing. I’m just gonna get cyber insurance and I’ll be okay. And it just, unfortunately, doesn’t work that way nowadays. A couple more questions. You mentioned, you actually threw out a number for a potential budget, which… Yep. A lot of the webinars we have, well, it depends. So I think a lot of people probably wrote down the figure, which was three dollars per employee per day. Yep. And does that percentage all come out of the IT budget, or revenue? Can you go just a step deeper on that? Yeah. So I’ve not been a big supporter nor a fan over the years of cyber as a percentage of an IT budget, because it just doesn’t work that way. And it even doesn’t work, in my opinion, when you say cyber is a percentage of revenue, quite honestly. What I have found in building these programs and running them, you know, I ran the one at a global manufacturer, again, a massive, publicly traded company, and we were running seventy-five thousand employees, and it was two dollars and seventy cents per day. And the reason I built that metric was honestly so I could walk down the hall with the executive team and say, it’s a Starbucks coffee per day for an employee. And that’s all we cost, guys. You know? And so also we then had the basis for, if the employee number went up or went down, we could shift that. Right? So it wasn’t tied to revenue, and it wasn’t tied to a percentage of technology spend. And I think that’s really important. So two dollars and seventy cents at a manufacturer, three dollars and thirty-two cents at a luxury private aviation company. So I rounded out the number; the number I threw out here was three dollars a head.
And you have to back into that. That doesn’t mean, you know, you’re a two-person IT team and you’re running IT as well as cyber. I’m talking about sitting down and doing the math on: I’ve got resources, I’ve got technology, and all those things do is provide controls for the company. And that’s what we’re talking about. It could be firewalls. It could be your VPN. It could be your identity, multifactor. You know, it could be your endpoint solution. All of those things, put them together, put the resources around how to manage them. It could be your third party as well doing your SOC. Add all of that up, and that’s where I think you should be. I mean, those are the programs we’ve run, and they’re reasonable. They’re not way-off-the-chart programs, you know. We have a question. It’s a great question. What proactive steps can vendors take to help casinos recover faster even if the attack didn’t originate from the vendor side? A huge one is collaborate and partner on the incident training so that it’s one to one. Because if you don’t and you have a problem, your first thing as a vendor is, how do I even know which customer to call first? Because I haven’t even done the testing. I don’t even know who I’m calling. Right? I may call a procurement person, not the person in ops that may really matter. So you have to kind of back up first and say, in my contracting and in my negotiations, did I actually identify how I would do incident management? Did I get a name on both sides? And have I ever been through a tabletop that actually collaborates across the two or not? And if I haven’t, I should be doing that. And then you’ve got to figure out, like I said, how do you prioritize? Do you prioritize on revenue of customer, potential impact by minute? What is it that you do to say which client is first? I mean, I hate to say it that way, but that’s what you’ve got to get to as a vendor helping the others. Right?
The first piece is just communication. And when I say communication, I don’t mean I’ve got to be able to send an email and expect a response. No. I mean, like, I need to go through and have multiple layers of how I’m gonna communicate, to include personal cell phones, possibly even the address and name of somebody’s house you can drive to. Because if something really bad happens, what do you do? Like the scenario I gave you, we truly did have to fly to a different city and go to their office to figure out what was going on. It was crazy. I’m not sure if you could spell this out. I know that when you’re talking about left of boom, you’re talking about the different components to get started. But if folks are here today and they are part of the group that aren’t really comfortable with a long-term plan, what is some low-hanging fruit that you would say, please do this today, this week, this month, that are putting them and their operations in harm’s way? Yeah. You know, I think the biggest thing you can do first, if you’re brand new and you really haven’t thought through much of this before, you know, all joking aside, is schedule a lunch in a conference room and just sit and brainstorm. Okay. If something happens to the building, what do we do? And then just write it down. And then if something happens to this system, what do we do? You know, how does that impact us? And then start figuring out in that brainstorming day or lunch, figure out what’s the most important thing to your operation. And that’s going to give you that first insight into how much does that bring in revenue-wise? How much do we already provide control around it, how long would it be out before it truly impacts us financially, and that’s gonna give you insight into the risk level that you’ve gotta go focus on first. You have, in this discussion question, how are you preparing for AI-driven threats?
And you had mentioned, that’s super scary, how, using LinkedIn, using Ancestry… And how do you have to have a secret code now, on these phishing attacks, to know what is true? So can you discuss that a little bit more? We have about four minutes left; unless our attendees have other questions, we could end with that. Yep. Yeah. No problem. I think, you know, there are some newer technologies coming out that will help. I think just pure awareness is one of the biggest things today. I mean, there’s a scam right now that’s happening where a person will take a son or daughter’s voice and then call the parent and say, hey, I’m in jail. Wire me fifty thousand dollars, honestly. And it happens. Right? And so, you know, as a family, you know, even for us as a family, there’s a code word. I mean, it’s a dumb code word. Our code word is poop, believe it or not. It’s that funny. But if I don’t hear that code word, I’m not wiring you fifty thousand dollars. No way. I know it’s not my daughter. I mean, and she’s thirty years old, but we joke about it now, but we’ve had that same code word forever. So, you know, you’ve gotta come up with stuff like that, and you have to be aware. And that’s the main thing, is just pay attention and be aware, you know. And if something doesn’t seem right, challenge it. John, Tricia, Jennifer, any closing thoughts in the last three minutes? Alright. We are gonna have these slides for you guys. Chris, I really appreciate you hosting. This has been fantastic, and I love the questions that we got. I’d love to follow up with anybody as well. Yes. John, thank you so much for hosting. Tricia, Jennifer, thank you for being backup. So what’s gonna happen next? You’re going to get a link to this tomorrow with a copy of the PowerPoint. And really, these folks are such great educators. If there’s questions that didn’t get answered, that you think about, please email that to me.
I will make sure to get it to them, and we can include it on the follow-up. And if you’re not already registered with TGNH as a subscriber, please do so now by going to t g n h dot com. We have more from REDW in twenty twenty-six, and we’d love to educate you and answer your questions. So thank you for joining us today. Again, thank you, John, and REDW. Alright. Thank you.